Policy —

How might the feds have snooped on Lavabit?

Founder no longer thinks his encrypted e-mail service can withstand secret court orders.

How might the feds have snooped on Lavabit?

In 2004, a 22-year-old technology enthusiast named Ladar Levison hatched a venture that fused his passion for open-source software with his belief that privacy was a fundamental right. Using the OpenSSL cryptography library, the Linux-based operating system, and close to 10,000 programming hours, he built what ultimately became Lavabit, an e-mail service that, when used correctly, made it impossible for even him to read the encrypted messages stored on his servers.

The goal from the start was to develop a technical underpinning that would resist the secret National Security Letters (NSLs) that had been authorized under the PATRIOT Act of 2001. Short for Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, the statute required service providers to surrender private data relating to users named in an NSL.

Even more disturbing to Levison, the law strictly prohibited providers from disclosing the existence of the secret demand, which, unlike normal subpoenas, were issued without the oversight of a legal court. (The constitutionality of those gag orders has been called into question by at least one recent court order.) Levison's plan was simple enough—use multiple levels of encryption to ensure that only someone who knows the user-chosen password protecting each account could decode the protected messages. Because Lavabit stored the passwords as one-way hashes that were generated by a complex cryptographic algorithm, even Lavabit operators were unable to obtain the plain-text characters.

Over the decade that followed, the service developed a loyal following. By earlier this year, it was generating annual revenue of about $100,000 from about 10,000 paying customers and courted another 400,000 people registered to use its free service. Its most visible milestone came in July when several human rights groups received an e-mail from edsnowden@lavabit.com, an address belonging to Edward Snowden, the former National Security Agency contractor charged with espionage after revealing an expansive surveillance program involving ordinary Americans. But rather than fuel even more explosive growth, the high-profile endorsement was quickly followed by a message announcing Lavabit's immediate closure. Levison declined to say whether there was any connection between the closure and the revelation that Snowden used the service.

Levison said he has always known Lavabit safeguards could be bypassed if government agents took drastic measures, or as he put it, "if the government was willing to sacrifice the privacy of many to conduct surveillance on the few." For instance, if he was forced to change the code used when a user logs in, his system could capture the plain-text password needed to decrypt stored e-mails. Similarly, if he was ever forced to turn over the private encryption key securing his site's HTTPS certificate, government agents tapping a connection could observe the password as a user was entering it. But it was only in the past few weeks that he became convinced those risks were realistic.

"I don't know if I'm off my rocker, but 10 years ago, I think it would have been unheard of for the government to demand source code or to make a change to your source code or to demand your SSL key," Levison told Ars. "What I've learned recently makes me think that's not as crazy an assumption as I thought."

Levison was very limited in what he would say. His lawyer has suggested he's bound by a legal gag order. Asked if he or Lavabit has received a National Security Letter or any sort of classified court order, he response is: "I can neither confirm nor deny that." But he was willing to talk with us about how his system was constructed, the assumptions he used to hold, and the assumptions he holds now. That allows us to explore what, hypothetically, the government may have been asking for—giving insight into the strategies and methods of the national security agencies. Security consultant Mark Burnett recently posted his own speculation about what the government might have asked Lavabit to do.

To prevent even operators from being able to decrypt user e-mail stored on servers, Lavabit deployed multiple levels of cryptographic protections. Messages were encrypted with a user's public key and could only be decrypted with a corresponding private key. That private key was itself encrypted and could only be decoded when the end-user entered a password. For safekeeping, the password was never stored as plaintext on Lavabit servers, according to documentation Levison provided to users. The password was combined with a cryptographic "salt" and was then hashed using multiple iterations of the SHA512 cryptographic function. Once a user entered the correct password, it would unlock the private key, which in turn decoded an encrypted e-mail.

The system was further designed to scrub the plaintext password and the unencrypted private key from server memory as soon as a transaction was completed. That was intended to make it impossible to decipher the messages by anyone who didn't have the human-readable password. Even if the servers were rooted by hackers or accessed by government agents, all the intruders would be able to access were one-way hashes and the encrypted messages. Since it's cryptographically impossible to reverse a hash, the secrets would remain secure. At least in theory, that meant the only way a hacker or government snoop could defeat the system and decrypt a user's e-mail was to crack the hashes using cracking dictionaries or brute-force attacks, both of which are impractical when users have chosen extremely long, randomly generated passwords.

All along, Levison spotted at least two ways his system could be subverted. The first was for an adversary to obtain the private key his server used to HTTPS encrypt the password and other sensitive data as it traveled between the user and the Lavabit server. The other was that Levison could somehow be forced to rewrite his source code and build a trap for users. For instance, Levison or anyone else with control over Lavabit might redesign the system so plaintext passwords were written to a log as soon as they were entered by the user, rather than being scrubbed from the system. Levison believed he had legal protections that would prevent the government from exploiting either weakness. After all, he had never heard of service providers being compelled to reveal the private key used to authenticate and encrypt HTTPS connections. Similarly, he was aware of no precedent mandating service providers change source code against their will.

"In terms of policy, I always believed that even though those were theoretical vulnerabilities, they couldn't be exploited because basically they would be requiring me to do things that I didn't think the law would allow for," he said. "I have reason to believe, not necessarily in relation to anything involving Lavabit but just in talking to other people in the industry and cryptography experts, that that assumption doesn't necessarily hold true anymore." He declined to identify the industry people he talked to. On Monday, the Lavabit Legal Defense Fund said it has raised $140,000 from more than 4,000 donors.

Remember Hushmail?

Government officials didn't immediately respond to a request for comment, so there's no way to independently confirm the suspicions. Assuming they're true, this wouldn't be the first time a service has changed the behavior of its software to assist government investigators. In 2007, Hushmail, an encrypted e-mail provider with similar technical protections as Lavabit, turned over 12-CDs-worth of e-mails from three account users named in a Canadian court order targeting illegal steroids distribution, a Wired journalist reported at the time. A Hushmail CTO told the publication of a general vulnerability in the service that involved the possible logging of a plain-text password when the user accesses the service.

"In the case of the alleged steroid dealer, the feds seemed to compel Hushmail to exploit this hole, store the suspects' secret passphrase or decryption key, decrypt their messages, and hand them over," Wired reporter Ryan Singel wrote.

Levison's comments are also in keeping with recent reporting from CNET's Declan McCullagh, who said the federal government has attempted to obtain the master encryption keys Internet companies use to protect users' private Web communications from eavesdropping.

Despite the parallels, however, both practices would be "outrageous" if feds actually forced them on Lavabit, said Jon Callas, who is co-founder and CTO of SilentCircle, a privacy startup that dismantled its encrypted e-mail service hours after Levison shuttered Lavabit. (The company's services for encrypting cell phone conversations and text messages remain in place.)

"I have been told that they cannot change your fundamental business practices," said Callas, who unlike Levison was able to say SilentCircle has received no NSLs or court orders of any kind. "I presume that would mean things like getting SSL keys because that would mean they could impersonate your servers. That would be like setting up a store front that says your business name and putting [government agents] in your company uniforms." Similarly, he added: "They cannot make changes to existing operating systems. They can't make you change source code."

To which Levison replied: "That was always my understanding, too. That's why this is so important. Like [Callas] at SilentCircle said, the assumption has been that the government can't force us to change our business practices like that and compromise that information. Like I said, I don't hold those beliefs anymore."

Article updated to add link from Mark Burnett post.

Channel Ars Technica